
Research On Android Malware Detection Method Based On Multiview Co-training Classification

Posted on: 2017-11-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y W Liao
Full Text: PDF
GTID: 2348330503992897
Subject: Computer Science and Technology
Abstract/Summary:
Because of its ease of use and openness, the Android mobile phone system quickly captured the largest share of the smartphone operating system market. That same openness has also brought security problems. Since 2010 a large number of Android malware samples, of many different types, have appeared, and the number of malicious applications now exceeds the capacity of manual analysis. With further research in machine learning, using machine learning methods to identify malware at scale has become a trend. Android malware detection based on machine learning, however, has some potential problems; this thesis addresses three of them:

1. For new types of Android malware only a limited number of samples can be collected, so the learning process is insufficient and the final detection accuracy for such malware is reduced.
2. As Android anti-reverse-engineering techniques develop, static analysis methods based on decompilation will no longer work.
3. Android software has too many redundant features; some feature dimensions provide no support for correctly identifying malware and actually have the opposite effect.

To address the low accuracy of machine-learning-based Android malware detection when few known samples are available, a Multi-view Co-training Classification detection method is proposed. After an APK is decompiled with apktool, its features are divided into two sub-views, a permission view and an API view. A classifier is built on each sub-view, and the two are co-trained with a collaborative training algorithm based on the standard Co-training algorithm. The detection performance of both classifiers is improved by the Multi-view Co-training Classification method, and the method performs much better when samples are scarce.

Some Android applications use DEX encryption and other hardening measures, so static feature extraction by decompilation cannot be carried out. To address this problem, the thesis proposes a dynamic feature extraction scheme that implements feature extraction for a dynamic API view based on Zygote injection. The APK samples are installed on test phones; a UI behaviour simulation program based on the uiautomator framework and a system broadcast trigger program are developed to elicit the potential API call behaviour, and some security-sensitive APIs are hooked by a program based on the Xposed framework. In this way, feature extraction on the dynamic API view is completed.

A Feature Filtering Reverse (RFF) algorithm is proposed to address the harm that partially redundant features do to the performance of permission-based Android malware classifiers. RFF compares the detection results obtained with the full feature set against those obtained with one feature dimension removed, feeds the results back to a sample feature reconstruction module for a comprehensive comparison of the group of redundant features, and eliminates the feature dimension with the worst impact on classifier performance. The comparison and elimination process is repeated until classification performance is optimal. The algorithm removes partially redundant feature dimensions, improves the generalization ability of the classifier, and further improves the accuracy of detecting unknown malware. Experimental results show that malware detection accuracy improves by 8% after the redundant feature dimensions are removed by the RFF algorithm. Experiments also verify that Multi-view Co-training Classification applies equally to the dynamic API view and the permission view.
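As an added illustration of the two-view co-training scheme described above (this is not the thesis's code), the following Python builds a permission-view and an API-view naive Bayes classifier and runs a standard co-training loop in which each view pseudo-labels its most confident unlabelled APKs for the other. The feature vocabularies, the classifier choice and the APK samples are constructed assumptions, not the thesis's feature set or data.

```python
import math
# Constructed feature vocabularies for the two sub-views (assumed, not the thesis's feature set)
PERM_VIEW = ["SEND_SMS", "READ_CONTACTS", "RECEIVE_BOOT_COMPLETED", "INTERNET", "ACCESS_NETWORK_STATE"]
API_VIEW = ["sendTextMessage", "getDeviceId", "getSubscriberId", "openConnection", "getSystemService"]
VIEWS = ((0, PERM_VIEW), (1, API_VIEW))  # position of each view inside a sample tuple

def train_nb(vocab, samples, view):
    """Bernoulli naive Bayes with Laplace smoothing on one view of labelled (perm, api, label) samples."""
    model = {}
    for c in ("malware", "benign"):
        members = [s[view] for s in samples if s[2] == c]
        prior = (len(members) + 1) / (len(samples) + 2)
        probs = {f: (sum(f in m for m in members) + 1) / (len(members) + 2) for f in vocab}
        model[c] = (prior, probs)
    return model

def predict_nb(model, features):
    """Return (label, posterior) for one feature set; the vocabulary is tiny, so no log-space is needed."""
    scores = {c: prior * math.prod(p if f in features else 1 - p for f, p in probs.items())
              for c, (prior, probs) in model.items()}
    best = max(scores, key=scores.get)
    return best, scores[best] / sum(scores.values())

def co_train(labeled, unlabeled, rounds=3, per_round=1):
    """Standard co-training: both views train on the shared labelled set, then each
    view pseudo-labels its most confident unlabelled samples for the next round."""
    labeled, pool = list(labeled), list(unlabeled)
    for _round in range(rounds):
        if not pool:
            break
        models = [train_nb(vocab, labeled, i) for i, vocab in VIEWS]
        for (i, _), model in zip(VIEWS, models):
            ranked = sorted(pool, key=lambda s: predict_nb(model, s[i])[1], reverse=True)
            for s in ranked[:per_round]:  # pseudo-label and move into the shared labelled set
                labeled.append((s[0], s[1], predict_nb(model, s[i])[0]))
                pool.remove(s)
    return labeled, [train_nb(vocab, labeled, i) for i, vocab in VIEWS]

def classify(models, perm_set, api_set):
    """Verdict of the permission-view and API-view classifiers for a new APK."""
    return predict_nb(models[0], perm_set)[0], predict_nb(models[1], api_set)[0]

# Constructed samples: (permissions requested, APIs called[, label]); not the thesis's data set.
LABELED = [({"SEND_SMS", "READ_CONTACTS", "INTERNET"}, {"sendTextMessage", "getDeviceId"}, "malware"),
           ({"INTERNET", "ACCESS_NETWORK_STATE"}, {"openConnection", "getSystemService"}, "benign")]
UNLABELED = [({"SEND_SMS", "RECEIVE_BOOT_COMPLETED"}, {"sendTextMessage", "getSubscriberId"}),
             ({"INTERNET"}, {"openConnection"}),
             ({"SEND_SMS", "READ_CONTACTS"}, {"getDeviceId", "getSubscriberId"}),
             ({"ACCESS_NETWORK_STATE", "INTERNET"}, {"getSystemService", "openConnection"})]
```

Calling `co_train(LABELED, UNLABELED)` grows the labelled set from two to six APKs and returns the retrained per-view models, which `classify` then applies to a new sample.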
Keywords/Search Tags: Android malware detection, co-training, static analysis, Zygote injection